CVE-2021-3007

Critical · Exploited in the wild · Nuclei template available

Laminas Project laminas-http <2.14.2 - Code Injection

Title source: llm

Exploitation Summary

CVE-2021-3007 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 3 public exploits from researchers including Vulnmachines, KrE80r, yunus-a1i. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional PHP deserialization exploit for CVE-2021-3007, targeting Zend Framework 3. It constructs a malicious serialized payload using Zend classes to achieve remote code execution (RCE) via the `system` and `phpinfo` functions.

Description

Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability (CWE-502) that can lead to remote code execution if the serialized content is attacker-controllable; the issue is related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized.
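The description above comes down to CWE-502: unserialize() of attacker-controlled bytes instantiates whatever classes the payload names, and any __destruct defined on those classes runs later with attacker-chosen property values. The following is an added illustration, not laminas-http or Zend Framework code. DemoStream is a hypothetical stand-in whose destructor has the same shape the advisory describes (a cleanup flag and a stream name that end up in unlink), shown beside the allowed_classes guard that prevents any object from being created. It does not reproduce the real Zend\Http\Response\Stream gadget chain; the class, function names and the temp-file victim are all assumptions for the demo.

```php
<?php
// Added illustration, not laminas-http or Zend Framework code.
// Assumes PHP 7.4+ (typed properties). DemoStream is a hypothetical
// stand-in for the risky shape the advisory describes: a __destruct
// that acts on properties an attacker can set through unserialize().
declare(strict_types=1);

final class DemoStream
{
    public bool $cleanup = false;
    public string $streamName = '';

    public function __destruct()
    {
        // Runs automatically when the object is released, including
        // objects that exist only because unserialize() created them.
        if ($this->cleanup && $this->streamName !== '' && is_file($this->streamName)) {
            unlink($this->streamName);
        }
    }
}

// Constructed sample victim: a file the attacker wants removed.
$victim = tempnam(sys_get_temp_dir(), 'victim_');
file_put_contents($victim, 'important');

// Serialized payload as a client would submit it (constructed here, built
// as a string on purpose so no DemoStream object exists on our side yet).
$payload = sprintf(
    'O:10:"DemoStream":2:{s:7:"cleanup";b:1;s:10:"streamName";s:%d:"%s";}',
    strlen($victim),
    $victim
);

// Vulnerable pattern: unserialize untrusted input with no class restriction.
function vulnerable(string $data): void
{
    $obj = unserialize($data); // instantiates DemoStream with attacker values
    unset($obj);               // __destruct fires here
}

// Hardened pattern: forbid object instantiation entirely. Any object in the
// payload becomes __PHP_Incomplete_Class, which carries no __destruct.
function hardened(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

$placeholder = hardened($payload);
printf(
    "hardened: got %s, victim file exists: %s\n",
    get_class($placeholder),
    var_export(file_exists($victim), true)
);

vulnerable($payload);
printf(
    "vulnerable: victim file exists: %s\n",
    var_export(file_exists($victim), true)
);
```

Run it with `php demo.php`: the hardened path hands back an incomplete-class placeholder and leaves the file in place, the vulnerable path deletes it the moment the object is released. allowed_classes has been available since PHP 7.0. The type checks the vendor added in 2.14.2 narrow what the real destructor will act on, but the durable fix is the one the advisory implies: never pass untrusted input to unserialize() at all (json_decode() for data exchange, and the library upgrade for laminas-http).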

Exploits (3)

nomisec · Working PoC · 1 star
by Vulnmachines · local
https://github.com/Vulnmachines/ZF3_CVE-2021-3007

This repository contains a functional PHP deserialization exploit for CVE-2021-3007, targeting Zend Framework 3. It constructs a malicious serialized payload using Zend classes to achieve remote code execution (RCE) via the `system` and `phpinfo` functions.

Classification: Working PoC (95%)
Attack type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Zend Framework 3
Authentication: none needed
Prerequisites: PHP environment with Zend Framework 3 · Ability to send serialized payload to vulnerable application
Analyzed by devstral-2, Feb 18, 2026
nomisec · Working PoC
by KrE80r · poc
https://github.com/KrE80r/cve-2021-3007-vulnerable

This repository provides a fully functional vulnerable test environment for CVE-2021-3007, an insecure deserialization vulnerability in Laminas/Zend Framework. It includes a Dockerized setup with a vulnerable PHP application that accepts and deserializes untrusted input, along with a pre-constructed payload for testing RCE.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Laminas HTTP < 2.14.2, Zend Framework 3.0.0
Authentication: none needed
Prerequisites: Docker · Composer · PHP 8.1
Analyzed by devstral-2, Feb 19, 2026
nomisec · Working PoC
by yunus-a1i · remote
https://github.com/yunus-a1i/CVE-2021-3007-docker-poc

This repository contains a functional exploit for CVE-2021-3007, a PHP deserialization vulnerability in Laminas/Zend HTTP. It includes a Dockerized vulnerable environment, a standalone exploit script, and a Nuclei template for automated testing.

Classification: Working PoC (95%)
Attack type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: laminas/laminas-http < 2.14.2, zendframework/zend-http <= 2.14.1
Authentication: none needed
Prerequisites: Docker · Nuclei v3+ · PHP 7.4+
Analyzed by devstral-2, Feb 19, 2026

Nuclei Templates (1)

Laminas Project laminas-http - Remote Code Execution
Critical · Verified · by 0xanis
Shodan: http.html:"laminas"

Scores

CVSS v3 9.8
EPSS 0.7531
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-01-14
InTheWild.io 2021-01-08
CWE
CWE-502
Status published
Products (4)
getlaminas/laminas-http < 2.14.2
laminas/laminas-http 0 - 2.14.2 (Packagist)
zend/zend_framework 3.0.0
zendframework/zendframework 0 (Packagist)
Published Jan 04, 2021
Tracked Since Feb 18, 2026
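The affected ranges in the product and exploit entries above translate directly into a lock-file check. The following is an added triage helper, not code from the advisory, from nomisec or from Laminas: it reads a composer.lock (a constructed sample is embedded so it runs offline) and flags laminas/laminas-http below 2.14.2 and zendframework/zend-http at or below 2.14.1, the ranges this page lists. The package names and thresholds come from the page; the function names and the sample lock contents are assumptions.

```php
<?php
// Added triage helper, not part of the advisory or any project.
// Assumes PHP 7.3+ (JSON_THROW_ON_ERROR).
declare(strict_types=1);

// Affected ranges as listed on this page.
const AFFECTED = [
    'laminas/laminas-http'    => ['op' => '<',  'version' => '2.14.2'],
    'zendframework/zend-http' => ['op' => '<=', 'version' => '2.14.1'],
];

/**
 * Return one line per installed package that falls inside an affected range.
 * Both "packages" and "packages-dev" are scanned: a dev-only install can
 * still end up deployed.
 */
function affectedPackages(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $hits = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            $name = $pkg['name'] ?? '';
            if (!isset(AFFECTED[$name])) {
                continue;
            }
            // Composer tags are often written "v2.14.1"; strip the prefix so
            // version_compare() sees plain dotted numbers.
            $installed = ltrim((string) ($pkg['version'] ?? '0'), 'v');
            $rule = AFFECTED[$name];
            if (version_compare($installed, $rule['version'], $rule['op'])) {
                $hits[] = sprintf(
                    '%s %s is affected (%s %s)',
                    $name,
                    $installed,
                    $rule['op'],
                    $rule['version']
                );
            }
        }
    }
    return $hits;
}

// Constructed sample composer.lock, not taken from any real project.
$sampleLock = json_encode([
    'packages' => [
        ['name' => 'laminas/laminas-http',       'version' => '2.14.1'],
        ['name' => 'laminas/laminas-diactoros',  'version' => '2.5.0'],
    ],
    'packages-dev' => [
        ['name' => 'zendframework/zend-http',    'version' => 'v2.11.2'],
    ],
]);

// Real use: affectedPackages(file_get_contents('/path/to/composer.lock'))
foreach (affectedPackages($sampleLock) as $line) {
    echo $line, PHP_EOL;
}
```

`composer audit` (Composer 2.4 and later) performs the same kind of comparison against the published advisory database and is the better routine check; this helper is for cases where only the lock file is at hand, such as a CI artefact or a forensic image. The Zend Framework 3.0.0 entry on this page has no Packagist range attached to it, so it is deliberately not encoded here.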